Linux developer Matthew Garrett has released a version of his Shim Secure Boot bootloader that allows any Linux distribution to be launched on Secure Boot systems without the need to disable UEFI Secure Boot. As Garrett's Shim binary has been signed by Microsoft, the Secure Boot bootloader will be executed by almost any type of UEFI firmware.

Note that Matthew Garrett's Shim is source code that will have to be compiled and include the location of the signed key for the Shim to verify before allowing the boot loader to run.

While one advantage of keeping the Secure Boot feature is that it allows a user to dual boot or multi-boot other operating systems along with Windows 8, another is that supposedly the computer cannot be booted from a portable OS on a flash drive in the event the computer is stolen... thus preventing a thief from accessing the main hard drive(s) and stealing one's data.

I don't fully understand how Secure Boot is supposed to work vis a vis the boot loader. Is there a new signed key generated each time the Shim is compiled? What is to prevent a thief from downloading Garrett's Shim and using it in conjunction with a portable operating system on a flash drive so as to access one's data on a stolen notebook?

Monsie

Note that Matthew Garrett's Shim is source code that will have to be compiled and include the location of the signed key for the Shim to verify before allowing the boot loader to run.

Monsie

Source code and signed binaries are available. Garrett explains that Linux distributors simply need to sign their UEFI bootloader (grubx64.efi) with a separate key, include this key on their installation medium and tell their users where to find the key when the Shim asks for it.

If it gets to the point where one cannot disable UEFI in the PC's BIOS, that could come in very handy to be able to boot one's OS of choice.
I had read that some new HP PCs have UEFI and one has to go into BIOS and select Legacy Boot to get around it.
That is not to say that the option will be there in the future.
So I have downloaded all the files you referenced just to have them on hand.
But in having to compile the source, can one use Puppy's compiler or would one have to invest in a Windows compiler?

A binary is available at Matthew Garrett's site so there is no need to compile the Shim. It is the second stage which Puppy developers need to consider.

This is all unfamiliar to me but it seems that Puppy developers would have to "sign their UEFI bootloader (grubx64.efi) with a separate key, include this key on their installation medium and tell their users where to find the key when the Shim asks for it."

Oops, somehow I missed seeing the signed binary files, so thanks for clarifying.

I am still not too sure about how secure the Secure Boot process is...

The Wiki about UEFI mentions this about Secure Boot:

Quote:

Secure boot can also be placed in "Custom" mode, where additional public keys can be added to the system that do not match the private key.

Again, I wonder how easy it would be for thieves to access the data from a stolen notebook if they can boot up from a portable operating system.

In such a scenario, my initial thoughts are that one might be better off using TrueCrypt or similar software to protect one's data. That said, I learned from the Wiki there are other benefits from UEFI:

Note that I removed the footnote references from the quote, but in any event, the Wiki article is here.
So, I am assuming that if one disables UEFI, the system reverts to legacy BIOS setup in which case one loses those advantages.

Monsie

Depending on the BIOS, if one removed the internal battery for a bit and then put it back in, the BIOS settings would have been wiped out including any BIOS password allowing one to change the BIOS settings.
Security only takes one so far.
If I wanted data from a hard drive, I could remove it from the laptop and use a portable USB case to access data on that drive on another PC running any OS I chose.
So relying on UEFI for complete security only goes so far.
Encryption is still a good option.
But even with it, there are differences in the quality depending on the type of encryption software used.
It is best to keep sensitive data on external media carried separately from the laptop and not keep any personal sensitive data on the laptop other than say some hidden file identifying you as the owner and possibly contact information if it is found.

If you want to hear crazy, that would have been me when I had a PC, (now junk and gone), that had a small graphic file on it that contained nothing more than my written signature.
And that file no longer exists in any form as I overwrote it a few times before deleting it and then the hard drive it was on was destroyed by me also.

Depending on the BIOS, if one removed the internal battery for a bit and then put it back in, the BIOS settings would have been wiped out including any BIOS password allowing one to change the BIOS settings ...

If I wanted data from a hard drive, I could remove it from the laptop and use a portable USB case to access data on that drive on another PC running any OS I chose.
